> Where you are: Part V, Chapter 35 of 40. Chapter 34 stretched the discipline across IoT, vehicle, and embedded devices — proof that the method survives any new substrate. This chapter introduces a substrate that is different in kind: artificial...
In This Chapter
- The two faces of artificial intelligence in the lab
- The scale problem and the shape of the solution
- Triage at scale: what AI actually does in an examination
- The clinical case: automated detection of known illegal material
- The other face: how synthetic media is made
- Detecting visual deepfakes
- Detecting audio deepfakes
- Biometric inconsistencies
- The provenance turn: proving real instead of catching fake
- The double-edged sword in court
- Reliability, bias, and explainability: the Daubert problem for AI
- Tool demonstration: an AI-assisted triage pipeline, end to end
- Worked example: a vast dataset and a contested video
- Common mistakes
- Limitations: knowing when to stop
- Progressive project: add an AI-assisted triage layer to your case file
- Summary
Chapter 35: AI-Assisted Forensics and Deepfake Detection — Machine Learning at Investigative Scale, and the Synthetic-Media Problem
Where you are: Part V, Chapter 35 of 40. Chapter 34 stretched the discipline across IoT, vehicle, and embedded devices — proof that the method survives any new substrate. This chapter introduces a substrate that is different in kind: artificial intelligence, which is at once the most powerful tool ever handed to an examiner and the most dangerous thing ever placed in evidence. You will learn to use machine learning to triage cases too large for human eyes, and to confront media that machines have fabricated. Anchor case #4 — the forensic image analyzed in court — lives here in two forms, both clinical: AI that reduces an examiner's exposure to the worst material, and the courtroom defense that genuine evidence "might be a deepfake."
Learning paths: This is dual-core territory. The 🔍 Forensic Examiner uses AI to find the needle in a terabyte and must defend every machine-made inference under oath. 🛡️ Incident Response runs triage, log anomaly detection, and entity extraction at the speed a live incident demands. 📜 Legal/eDiscovery meets technology-assisted review (predictive coding), the Daubert problem for black-box tools, the liar's dividend, and the authentication of contested audio and video. 💾 Data Recovery gets a quieter gift: machine-learning file-fragment classifiers that improve carving, perceptual hashing that prioritizes which of a client's thousands of photos to restore first, and OCR that re-identifies an orphaned document.
The two faces of artificial intelligence in the lab
Open a modern case and the first thing that strikes you is not a clue. It is the volume. A single mobile phone now yields a hundred-gigabyte extraction with a quarter of a million photographs; a corporate matter spans a dozen custodians and ten terabytes of mailboxes, file shares, and cloud exports; a ransomware engagement drops a hundred memory images and a month of logs in your lap with the client's payroll run waiting on your answer. The arithmetic is brutal. If an examiner can meaningfully review one image every two seconds for eight hours without pause — an impossible, inhuman pace — that is roughly fourteen thousand images a day, and the phone holds eighteen days of looking. Multiply by the photographs, the documents, the chats, the videos, the logs, and the timeline across every device in the case, and you reach a number no team and no budget can absorb. The bottleneck in twenty-first-century forensics is not acquisition and it is not analysis technique. It is human attention. Artificial intelligence is, first and most honestly, a way to spend that scarce attention where it matters.
That is the first face of AI in the lab: a force multiplier. A trained model can look at all quarter-million photographs in an afternoon and hand you the few thousand that contain a face, a weapon, a document, or a screen; it can read the text inside ten thousand scanned pages; it can transcribe and translate a thousand voice memos; it can read a month of logs and point at the ninety seconds that do not fit. None of this replaces the examiner. All of it prioritizes the examiner — it turns an impossible review into a triaged one, where the machine sorts and the human decides. Hold that distinction tightly, because it is the line between a defensible practice and a malpractice: the machine produces leads; the human produces findings.
The second face is darker and is the reason this chapter exists in Part V rather than the toolkit chapters. The same neural networks that classify a photograph can synthesize one; the models that transcribe a voice can clone it; the systems that read a document can write a fabricated one in a custodian's style. AI is not only a tool you point at evidence — it is increasingly the thing the evidence is made of. A video offered to a jury may show an event that never occurred. A confession may be a voice that the accused never spoke. And — more corrosive than any single fake — the mere existence of convincing synthetic media gives every guilty party a new defense: that the genuine recording of their wrongdoing is itself a forgery. The examiner who masters AI as a tool must, in the same career, learn to distrust media as never before.
Both faces are governed by the same durable discipline this book has taught since Chapter 1. AI is new; the method is not. You still image first and work on a verified copy (the model runs on the copy — the original is sacred, theme #2). You still hash everything, document every tool and version, corroborate across independent sources, and report every finding with its limitations. Technology changes, principles don't (theme #4) has never been tested harder than by a technology that writes its own evidence — and it holds. Anchor case #4 will make both faces concrete and clinical: AI that lets an examiner triage a vast, painful dataset while reducing their exposure to its worst contents, and the cross-examination in which a defense attorney waves a hand at a hashed, provenance-bearing recording and says the word "deepfake."
A working definition you can defend on the stand
You cannot testify about a thing you cannot define plainly, so fix the vocabulary before the techniques. Machine learning is the practice of building a system that learns a function from examples rather than from rules a programmer wrote. You collect labeled data — images marked "contains a face" / "does not," documents marked "responsive" / "not" — and a training process adjusts the millions of internal parameters of a model until it predicts the labels well; then, at inference time, you feed it new, unlabeled data and it outputs predictions. Supervised learning needs labels (a classifier that recognizes weapons); unsupervised learning finds structure without them (clustering near-duplicate photos, flagging anomalies in a log). A neural network is the dominant model family — layers of simple weighted units; a convolutional neural network (CNN) specializes in images; a transformer underlies modern language models and increasingly vision. An embedding is the move that makes all of this practical for triage: the model converts an image, a document, or a face into a vector of a few hundred numbers such that similar things land near each other, so "find me everything like this" becomes a distance calculation.
The single most important sentence in this definition, and the one you will repeat under oath, is this: a model outputs a probability, not a fact. When a classifier says "0.94," it is not saying "there is a 94% chance this is true." It is emitting a calibrated-or-not score that correlates with truth on data resembling its training set, and degrades — sometimes catastrophically and silently — on data that does not. The examiner's job is to treat that number as a place to look, never as a thing to conclude. Everything else in this chapter elaborates that one rule.
Why This Matters. The volume problem is not a convenience complaint; it is an access-to-justice and a safety problem. Cases stall for years in evidence backlogs; investigators in child-exploitation and human-trafficking units burn out from exposure to material no person should review in bulk. AI triage, used correctly, shortens backlogs and shields examiners by surfacing the relevant fraction and letting the rest stay unopened. Used incorrectly — as an oracle whose scores are mistaken for findings — it launders machine error into human testimony and convicts on a number nobody can explain. The sixth theme, the human cost is real, cuts both ways here: AI can protect the people in this work, or it can harm the people the work is about. Which one depends entirely on the discipline in this chapter.
The scale problem and the shape of the solution
Before any specific technique, internalize the shape of an AI-assisted examination, because it is the same regardless of which model you use. You never point a model at an original device or even at a raw image and let it "decide." You stage it:
THE AI-ASSISTED EXAMINATION (data flows one way; humans gate every exit)
verified forensic image (E01, hashed) ← the original is sacred
│ mount read-only / export working copies (hashed)
▼
[1] DATA REDUCTION known-file filtering (NSRL/KFF), de-duplication
│ (throw away what is provably irrelevant)
▼
[2] ENRICHMENT classify · OCR · transcribe · translate · extract
│ entities · cluster · score anomalies
▼
[3] PRIORITIZED QUEUE machine-ranked leads, each with a score + provenance
│
▼
[4] HUMAN REVIEW ←── the ONLY place a "finding" is created
│ examiner confirms, rejects, documents
▼
[5] REPORT findings cite artifacts, not model scores;
every model named, versioned, and caveated
Three properties of this pipeline are non-negotiable. First, it is read-only and copy-based: models are hungry, stochastic, and occasionally write temp files; none of that touches the verified image. Second, it is auditable: every stage records what model, what version, what threshold, and what inputs produced what outputs, so a stranger — opposing counsel's expert — can replay it. Third, the human gate at stage 4 is the only place a finding is born; stages 1–3 produce ranked suggestions and nothing else. An examination that lets a model's output flow straight into a report has skipped the only step that makes the work forensic.
Triage at scale: what AI actually does in an examination
"AI triage" is not one capability; it is a half-dozen distinct techniques, each solving a different slice of the volume problem. Learn them as separate tools with separate failure modes.
Known-file filtering and the hashing spectrum
The cheapest, oldest, and most reliable form of data reduction is not "AI" at all — it is hashing — and it belongs first because it removes the haystack before you search for the needle. There are three rungs on the hashing ladder, and confusing them is a classic error.
Cryptographic hashing (MD5, SHA-1, SHA-256, owned by Chapter 5 — The Forensic Process) produces a fixed digest that changes completely if a single bit changes. Its forensic superpower is exact identity: two files with the same SHA-256 are, for all practical purposes, the same file. This drives known-file filtering: NIST maintains the National Software Reference Library (NSRL), a published set of hashes of known operating-system and application files. Hash every file in your image, drop the ones that match the NSRL, and you have eliminated millions of Windows DLLs, fonts, and installer payloads that no examiner needs to read — what FTK calls the Known File Filter (KFF). The same mechanism, run against a known-bad hash set, flags known-contraband instantly.
# DATA REDUCTION: keep only files NOT in the NSRL known-good set.
# (-x = show non-matching; -k = the known-hash set; illustrative, not executed)
hashdeep -c sha256 -r -k nsrl-sha256.txt -x ./evidence/ > unknown-files.txt
# Now your review set is "files the world has never catalogued" — the interesting ones.
Fuzzy hashing answers a question cryptographic hashing cannot: "are these two files similar?" ssdeep (context-triggered piecewise hashing, after Jesse Kornblum's work on spamsum) and sdhash and TLSH produce hashes that stay close when files are nearly identical — the same document with one paragraph added, the same malware sample with a tweaked string. A match score of, say, 88 between two files says "these share most of their bytes," which surfaces edited copies, partial recoveries, and malware variants that exact hashing scatters.
ssdeep -r ./evidence/ > sigs.txt # build fuzzy signatures
ssdeep -m sigs.txt ./suspect-folder/ # report similarity matches (0-100)
Perceptual (robust) hashing is the rung that matters most for images and the bridge to the synthetic-media discussion later. A perceptual hash — aHash (average), dHash (difference, Neal Krawetz), pHash (DCT-based), or the proprietary PhotoDNA — hashes what an image looks like, not what its bytes are, so it survives resizing, recompression, format conversion, and minor cropping. Two visually identical JPEGs saved at different qualities have wildly different SHA-256 digests but nearly identical perceptual hashes. The illustrative mechanism, with dHash, is short enough to read:
# Illustrative perceptual hash (dHash). PhotoDNA is proprietary and NCMEC-controlled;
# this is the publicly understandable analog. Never executed here.
from PIL import Image
def dhash(path, hash_size=8):
img = Image.open(path).convert("L").resize((hash_size + 1, hash_size))
bits = 0
for row in range(hash_size):
for col in range(hash_size):
left = img.getpixel((col, row))
right = img.getpixel((col + 1, row))
bits = (bits << 1) | (1 if left > right else 0) # is each pixel brighter
return bits # than its right neighbor?
def hamming(a, b):
return bin(a ^ b).count("1") # number of differing bits
# Two versions of the same photo (one re-saved by a chat app) stay CLOSE:
# dhash(original) ^ dhash(resaved) -> Hamming distance 0-4 => "same image"
# distance > ~10 -> "different image"
The lesson that ties all three rungs together is the book's first theme seen from a new angle: cryptographic hashing proves deleted ≠ destroyed when a recovered fragment matches a known file exactly; perceptual hashing extends that to "this is the same picture even though the bytes were changed," which is exactly what you need when contraband or stolen IP travels through apps that re-encode it.
Image classification and object detection
With the haystack reduced, supervised CNN classifiers sort what remains. Trained models tag images by content category — contains a face, contains a document or screenshot, contains a weapon, contains currency or a credit card, contains a vehicle or license plate, contains explicit nudity — and object detectors go further, drawing boxes around and labeling the things inside a single frame. In a corporate matter you might classify for "screenshots of source code" and "photographs of whiteboards"; in a fraud case, for "checks and financial documents"; in a missing-person case, for "outdoor scenes with identifiable signage." The output is never a verdict. It is a ranked queue: the examiner reviews the high-confidence "weapon" images first, but reviews them — the model's 0.97 is the reason this image is near the top of the pile, not the reason it goes in the report.
TRIAGE CLASSIFIER OUTPUT (illustrative — feeds a human review queue)
file top label conf 2nd label conf
IMG_00913.jpg document 0.981 screenshot 0.774
IMG_01244.jpg currency 0.942 document 0.611
IMG_02071.heic face 0.918 indoor_scene 0.880
IMG_02488.jpg vehicle 0.889 license_plate 0.547
... ... ...
Reviewed by examiner? [ ] Confirmed? [ ] Notes: __________________
Near-duplicate detection and clustering
Embeddings turn the surviving images into vectors and let you do two things humans cannot do at scale. Near-duplicate grouping collapses the forty-one slightly different versions of one screenshot (each shared, re-saved, and re-shared) into a single review item — enormous savings, and a way to trace how one image propagated. Clustering groups images by scene or subject without any labels at all: all photos taken in one room, all photos of one document, all frames from one video. For the examiner this converts "review 18,000 photos" into "review 600 clusters and drill into the interesting ones." For investigators of organized activity it surfaces structure — the same backdrop across images from different devices ties them together.
OCR, transcription, and translation
A vast amount of evidence is text that is not stored as text. Optical character recognition (OCR) — Tesseract in the open-source world, the engines inside Axiom and other suites in the commercial one — reads the words inside scanned documents, photographs of papers, screenshots, and even text baked into images precisely to evade keyword search. Automatic speech recognition (ASR) — Whisper-class models — transcribes voice memos, call recordings, and the audio tracks of video, turning hours of listening into searchable text. Machine translation renders foreign-language chat, email, and documents into the examiner's language. Each of these is a transformative force multiplier and each carries the same warning in bold: the output is a lead, not a transcript of record.
tesseract scanned_ledger.png ledger_text -l eng # OCR an image of text
whisper interview.m4a --model medium --task transcribe # ASR -> searchable text
whisper foreign_call.m4a --model medium --task translate # ASR + translate to English
OCR mis-reads a 0 as an O and a 1 as an l; ASR mishears names, numbers, and crosstalk and will confidently transcribe speech that is not there; machine translation flattens idiom, dialect, and the very ambiguity that may be the point of a message. You use these to find the relevant document or the relevant minute of audio; you then read or listen to the original yourself, and the original — not the machine's rendering — is what you quote in a report. An OCR'd dollar figure or a translated threat that decides a case must be verified by a human against the source, every time.
Entity and relationship extraction
In a large document and communications set, the question is often not "what is in this file" but "who is connected to whom, and how." Named-entity recognition (NER) scans text and pulls out people, organizations, locations, dates, money amounts, email addresses, phone numbers, and account identifiers; relationship extraction and link analysis then assemble those entities into a graph you can navigate. This is where anchor case #2 — the employee who covered their tracks — meets AI. Across that custodian's mailbox, chat logs, and documents, NER surfaces the recurring external email address, the shell-company name buried in a contract, and the personal cloud account referenced in a message; link analysis draws the lines between them and reveals the exfiltration network that no single document showed.
# Illustrative NER over a custodian's text corpus (spaCy-style). Not executed here.
import spacy
nlp = spacy.load("en_core_web_trf")
def entities(text):
doc = nlp(text)
return [(ent.text, ent.label_) for ent in doc.ents
if ent.label_ in {"PERSON", "ORG", "GPE", "MONEY", "DATE", "EMAIL"}]
# Feed every message/document, accumulate (entity, source_file) pairs, then build a graph:
# nodes = entities ; edges = co-occurrence in the same document/thread
LINK-ANALYSIS GRAPH (anchor #2, entities auto-extracted, edges = co-occurrence)
[j.morales]───emails───►[external: rk_consulting@proton.me]
│ │
authored registered-to
▼ ▼
[Q3-pricing-model.xlsx]────referenced───[Meridian Holdings LLC]
│ ▲
uploaded-to named-in
▼ │
[personal Dropbox]──────same-thread────┘
Machine drew the lines; the EXAMINER decides what they mean.
The graph is a magnificent lead generator and a dangerous thing to over-read. NER mislabels (a person named "Brooklyn" tagged as a place; an org and a product confused); co-occurrence is not collusion; and the absence of an edge is not proof of no relationship. You use the graph to decide where to read the actual messages, and the messages — corroborated as Chapter 19 — Email, Chat, and Social Media Forensics teaches — are the evidence.
Anomaly detection in logs and timelines
The final triage technique is unsupervised and aimed at the haystack of events. A timeline (Chapter 21 — Timeline Analysis) or a month of authentication logs holds millions of entries, almost all normal. Anomaly detection learns "normal" — the usual hours, the usual volumes, the usual sequences — and flags what deviates: a logon at 02:14 from an account that has never worked nights, a single user reading ten thousand files in an hour, an "impossible travel" pair of logins from two continents twenty minutes apart, a process that ran once and never again. The simplest methods (a z-score on events-per-hour) are explainable and often enough; richer ones (isolation forests, autoencoders that reconstruct "normal" and flag high reconstruction error) catch subtler patterns at the cost of explainability.
# Illustrative anomaly flag: z-score on per-hour event counts. Explainable on the stand.
import statistics
def flag_anomalies(counts_by_hour, z=3.0):
mu = statistics.mean(counts_by_hour.values())
sd = statistics.pstdev(counts_by_hour.values()) or 1
return {h: c for h, c in counts_by_hour.items() if abs((c - mu) / sd) >= z}
TIMELINE WITH ANOMALY FLAG (anchor #2 — the 2 a.m. that should not exist)
2024-03-14 17:58 logoff j.morales (normal end of day)
2024-03-15 02:11 logon j.morales ⚑ z=4.7 off-hours, account never works nights
2024-03-15 02:13 USB connect VID_0781 ⚑ first-seen device this account
2024-03-15 02:14 4,212 files read in 7 min ⚑ z=9.1 volume spike
2024-03-15 02:31 logoff j.morales
The machine RANKED these three lines out of 1.2M. The examiner PROVES what they mean
with registry USB history (Ch.16), $FILE_NAME MFT timestamps, and the timeline (Ch.21).
The anomaly score told you which ninety seconds of a million log lines to examine. It did not tell you a theft occurred — the registry USB artifacts, the MFT $FILE_NAME timestamps the employee could not alter, and the corroborated timeline did that. The model bought you the most precious thing in a large case: where to look first.
Recovery vs. Forensics. Machine learning is genuinely dual-use, and perceptual hashing plus classification is the cleanest example in this chapter. For the 💾 recovery technician facing a client's reformatted drive — the deleted wedding photos of anchor case #1 — a CNN that recognizes faces and a perceptual-hash deduplicator turn ten thousand carved-but-orphaned image fragments into a prioritized restoration: "here are the 300 distinct photographs that contain people, ranked by how complete the recovery is," so the irreplaceable family pictures surface first instead of last. The very same classifier and the very same hash, pointed at a forensic image, triage contraband or stolen IP for the 🔍 examiner: identical math, one discipline using it to give a family back its memories, the other to surface evidence under a warrant. And ML file-fragment classifiers — models that label a 512-byte block as "JPEG body," "ext4 metadata," or "encrypted/compressed" — sharpen the carving of Chapter 7 — File Carving for recovery and reconstruction alike.
The clinical case: automated detection of known illegal material
Anchor case #4 obliges this chapter to address, clinically and non-graphically, how AI assists the most consequential and most painful examinations — and to be precise about what it does and does not do. We discuss only procedure, law, and ethics. We never describe content.
The dominant technology is robust perceptual hashing of known material, of which Microsoft's PhotoDNA (developed with Hany Farid, in service since around 2009) is the archetype. PhotoDNA converts an image to grayscale, normalizes its size, partitions it into a grid, and computes a compact signature from the gradients of each cell — a hash on the order of 144 bytes that is robust to resizing, recompression, and minor alteration. The National Center for Missing & Exploited Children (NCMEC) and partner organizations maintain hash lists of previously identified material; platforms and investigators match candidate images against those lists by distance threshold, not exact equality. The single most important property — the one an examiner must state plainly and an attorney must understand — is this: PhotoDNA finds known material. It does not classify new, unknown images. A match means "this is, to a high probability, a previously catalogued image"; a non-match means nothing about whether an unknown image is contraband. New material requires human determination under legal authority.
The procedural handling follows directly and is not improvised at the keyboard. A hash match is a lead that triggers process: the examiner operates within the scope of the warrant or engagement; a qualified human reviews flagged material only as the legal authority permits; every step is logged to the chain of custody as rigorously as any disk image (the matched item is hashed, its source recorded, the tool and hash-list version noted); and discovery of such material triggers mandatory reporting — in the United States, the duty under 18 U.S.C. §2258A for electronic service providers, and the broader legal framework that governs investigators. The authority that defines what you may open is owned by Chapter 25 — The Legal Framework; the ethics, reporting duties, and examiner well-being are owned by Chapter 28 — Ethics.
There is a humane dimension to this technology that the sixth theme makes central. Used well, hashing and classification reduce an examiner's exposure to traumatic material: known material can be flagged, set aside, and reported without a human re-viewing what has already been identified; review interfaces can present grayscale, blurred, or thumbnail-only previews; and triage means a person opens the few items that genuinely require human judgment rather than scrolling through thousands. Secondary traumatic stress in this work is real, documented, and a managed occupational hazard — AI, deployed with care, is one of the few tools that makes the work survivable. That, too, is the human cost is real: the technology serves the victims in the images and the investigators who must do this work.
Ethics Note. Two duties sit in tension and you must honor both. The first is to the investigation and the public: a hash match is a lead you are often legally obligated to act on and report (§2258A and the framework in Chapter 25). The second is to scope and to the human in the data: you open only what authority permits, you do not go content-spelunking beyond the warrant, and you protect your own well-being and your team's because a broken examiner serves no one. When a match surfaces, the correct first move is never another double-click — it is stop, document, and follow the established procedure. Chapter 28 — Ethics owns this fully.
Limitation. Robust hashes are not infallible. They match known material only; they can in principle produce false positives at a given threshold; and researchers demonstrated, against Apple's later NeuralHash proposal in 2021, that perceptual-hash systems can be adversarially attacked — engineered images that collide with a target hash (a false positive) or near-duplicates altered to evade a hash (a false negative). The forensic consequence is firm: a hash match is probable cause to look, examined by a human under authority — never, by itself, a conclusion. The system that was abandoned amid that very controversy is a standing reminder that these tools are powerful, imperfect, and politically fraught.
The other face: how synthetic media is made
To detect a fake you must understand how it was built, because every generation method leaves characteristic traces — the third theme, every action leaves a trace, applied to pixels and waveforms a machine produced. Four families dominate.
Autoencoder face-swapping is the original "deepfake" (the technique that named the field). Two autoencoders — networks that compress an image to a small latent code and reconstruct it — are trained on faces A and B while sharing a single encoder. To swap, you encode a frame of person A and decode it with B's decoder: A's pose and expression, rendered as B's face. Tools like DeepFaceLab and FaceSwap automate it. Because the synthetic face is then composited back onto the original frame, this family's signature is the blend — the boundary where generated face meets real head.
Generative adversarial networks (GANs) pit a generator that fabricates images against a discriminator that tries to catch fakes; trained to equilibrium, the generator produces wholly synthetic, photorealistic content. StyleGAN is the archetype behind "this person does not exist" faces. GANs build images by upsampling from a low-resolution seed through transposed convolutions, and that upsampling leaves periodic, grid-like traces in the frequency domain — a fingerprint we exploit below.
Diffusion models (the technology behind Stable Diffusion, DALL·E, Midjourney) are the current state of the art: they learn to reverse a noising process, starting from pure noise and denoising step by step into an image conditioned on a text prompt. They produce extraordinarily convincing stills and, increasingly, video, with subtler artifacts than GANs.
Reenactment, lip-sync, and voice cloning round out the threat. Reenactment (Face2Face-style) transfers one person's expressions onto another's face in video; lip-sync (Wav2Lip-style) drives a target's mouth from an arbitrary audio track; voice cloning / neural text-to-speech (the lineage of WaveNet and Tacotron through today's commercial voice services) synthesizes speech in a target's voice from minutes — sometimes seconds — of sample audio. The result that lands in your lab is often a combination: a swapped or reenacted face, lip-synced to a cloned voice, composited into a real scene. Each component contributes its own artifacts, and detection is the art of finding several at once.
Detecting visual deepfakes
There is no button that prints "fake." There is a battery of independent tests, each producing a lead, and a discipline of convergence — exactly the posture Chapter 20 — Photo, Video, and Document Forensics built for image manipulation, now under harder conditions. Work through the battery knowing that any single tell can be a false alarm and that a competent forger may have eliminated several.
Blending and boundary artifacts
Because face-swaps composite a generated face onto a real frame, the blend boundary is the first place to look: a faint seam around the face, jaw, or hairline; a resolution or sharpness mismatch where a smooth synthetic face meets a textured real neck; a color or contrast discontinuity at the edge; warping of the background near the face from imperfect alignment. The research detector Face X-Ray (Microsoft Research, 2020) is built precisely on this insight — it learns to find the blending boundary rather than the synthesis itself, which makes it generalize across face-swap tools better than detectors trained on one generator.
Lighting, shadow, and reflection
Real scenes obey one physics; composited faces frequently do not. The lighting direction on an inserted face may disagree with the scene's light sources; cast shadows may be missing or wrong; and — a remarkably durable tell — the specular highlights in the two eyes should reflect the same environment. In genuine photographs both corneas show consistent, matching reflections of the light sources; in many GAN and swap outputs the two eyes' highlights differ in shape, position, or number, because the model rendered each region without a global physical model of the scene.
Eyes, blinking, gaze, and teeth
The face's fine structures resist synthesis. Early deepfakes blinked too rarely or unnaturally — the 2018 "In Ictu Oculi" work detected fakes by eye-blink rate — a tell that later models largely fixed, which is itself the lesson: detection is a moving target. Pupils in GAN faces are often subtly non-circular or irregular; gaze may be misaligned between the eyes; teeth frequently render as a white blob lacking individual tooth boundaries because the model never learned them as discrete objects. Earrings, glasses reflections, and other paired accessories are often asymmetric in synthetic faces.
Temporal inconsistency and flicker
Video adds the dimension generators struggle with most: time. Many methods operate frame by frame, so across frames you see flicker at the face boundary, identity drift (the face subtly becomes a different face), jitter in the blend, and discontinuities at the cuts where a generated segment was spliced into a real clip — disturbing the GOP/I-frame cadence in exactly the way Chapter 20 taught you to read. Stepping through a clip frame by frame, watching the boundary and the eyes, remains one of the most productive manual techniques.
Frequency-domain traces — the GAN fingerprint
The most robust class of artifact is invisible to the eye and visible in the spectrum. The upsampling operations inside GANs (and, in different form, other generators) imprint periodic, grid-like patterns in the frequency domain. Transform an image to its 2-D Fourier or DCT spectrum and a real photograph shows a smooth, naturally decaying distribution; many synthetic images show regular peaks — a comb or lattice — that no camera produces. Different generator architectures leave different spectral signatures, which has been used both to detect synthesis and to attribute an image to a model family.
FREQUENCY-DOMAIN SIGNATURE (2-D spectrum, schematic — magnitude vs. frequency)
real camera image: ▁▂▃▅▇█▇▅▃▂▁ smooth, monotonic falloff
GAN-upsampled image: ▁▂█▁▂█▁▂█▁▂█▁ periodic peaks (transposed-conv grid)
└─ regular lattice = an upsampling fingerprint, not optics
(Compare to the JPEG double-compression comb of Ch.20 — same idea, new cause.)
Physiological signals — the heartbeat the fake lacks
A genuine video of a real face contains a signal no viewer sees: the skin's color shifts minutely with each heartbeat as blood perfuses the face — remote photoplethysmography (rPPG). Across the regions of a real face this pulse is coherent and consistent; synthetic faces typically lack a physically coherent heartbeat, or show inconsistent rPPG across face regions. Intel's FakeCatcher (2022) is built on this principle and reports high accuracy in vendor testing — a figure to cite as a vendor claim validated on their data, not as a courtroom error rate.
Limitation. Read this entire battery through the fifth theme. Every tell above is a lead, every detector is in an arms race it is currently losing, and the headline reliability problem is generalization: detectors trained on known generators collapse on unseen ones. The 2020 Deepfake Detection Challenge is the canonical evidence — top models scored around the low-80s percent on the public test set and fell to roughly 65% on the held-out, "black-box" set of unfamiliar fakes. A coin flip is 50%. A detector that is 65% accurate on the kind of fake you actually care about — the new one — cannot, by itself, support a courtroom conclusion. You use these tests the way Chapter 20 used ELA: to find where to look and to build convergence across independent methods plus a plausible account of how the media was made.
DEEPFAKE DETECTOR OUTPUT (illustrative ensemble — note the spread, not just the mean)
clip: statement_exhibit-12.mp4 (1,840 frames analyzed)
detector score(0=real,1=fake) note
blend-boundary (Face X-Ray) 0.71 elevated at jawline
frequency-domain 0.66 weak periodic peaks
eye-reflection consistency 0.58 mild mismatch L/R
rPPG (heartbeat coherence) 0.49 inconclusive
temporal flicker 0.63 boundary shimmer @ 00:07-00:09
ENSEMBLE MEAN 0.61 ← a LEAD. Not a finding. Generalization unknown
for this generator. Corroborate w/ provenance,
metadata (Ch.20), acquisition (Ch.14), timeline.
Detecting audio deepfakes
Cloned voices defeat people more easily than faces — there are fewer cues and we are quicker to trust a familiar voice on a phone — so audio detection deserves its own battery. Synthetic speech leaves spectral artifacts: vocoders and neural synthesizers produce unnatural energy in the high frequencies, missing or smeared harmonics, and statistical regularities a spectrogram reveals to a trained eye and a classifier alike. It tends to lack the micro-variations of a real glottal source — the natural jitter and shimmer of human pitch and amplitude — and to render prosody that is subtly flat or mis-stressed. It frequently omits the involuntary sounds of real speech: breaths in the wrong places or none at all, lip smacks, swallows. And it often carries no consistent room acoustics — the reverberation and background that a real recording in a real space always has, or it carries a reverb that does not match the claimed environment. The research community benchmarks this work through the ASVspoof challenge series, and the same generalization problem applies: detectors trained on known synthesizers struggle with new ones.
The scenario that brings this to ground is voice-clone fraud — the "CEO call" in which a finance employee receives an urgent voicemail or live call, in a perfectly familiar executive voice, authorizing a wire transfer. For the 🛡️ incident responder, the artifacts above plus the out-of-band facts (the call's origin, the absence of corroborating email, the impossible timing) are what break it. As with images, no single audio tell convicts; convergence does.
Biometric inconsistencies
Beyond per-pixel artifacts, biometric analysis asks whether the person is physically consistent. Head-pose estimation compares the 3-D orientation implied by inner-face landmarks against that implied by the whole head; swaps that paste a face at a slightly wrong angle produce a mismatch. Identity consistency checks whether the face's measurements drift across a clip (a real person's bone structure does not). Gait, ear morphology, and hand details (synthetic hands remain notoriously hard for many generators) add further independent signals. Each is one more lead in the convergence stack — and each is subject to the same caution: a single biometric oddity can have an innocent explanation (camera distortion, motion blur, an unusual angle), and presenting one as proof is how an examiner is impeached.
The provenance turn: proving real instead of catching fake
The strategic conclusion of the detection arms race is sobering and clarifying: detection alone is a losing game because generators improve faster than detectors, and a detector can only recognize fakery it has seen. The field's center of gravity is therefore shifting from "catch the fake" to prove the real — from interrogating pixels to establishing provenance, the cryptographically verifiable history of a piece of media. This is the durable, fourth-theme answer: you cannot win a pixel arms race forever, but you can build a chain of evidence about where media came from, and that is exactly the kind of problem forensics has always solved.
Cryptographic provenance: C2PA Content Credentials
The leading standard is C2PA — the Coalition for Content Provenance and Authenticity, formed in 2021 (Adobe, Microsoft, Intel, Arm, BBC, Truepic, Sony, and others, merging the earlier Content Authenticity Initiative and Project Origin). C2PA defines Content Credentials: a cryptographically signed manifest attached to a media file that records assertions about its history — what device captured it, what edits were applied, whether and how AI was involved in its creation. The manifest is a chain of signed claims (using COSE/X.509 certificates) bound to the asset by a hash, embedded in the file as a JUMBF (JPEG Universal Metadata Box Format) structure — in JPEG, inside an APP11 (FF EB) segment; in PNG, in a caBX chunk. Because the signature covers a hash of the content, the credential is tamper-evident: alter the pixels and the binding breaks, which a validator reports.
C2PA CONTENT CREDENTIAL in a JPEG (APP11 / JUMBF — annotated, bytes shown are real)
FF EB APP11 marker (C2PA Content Credentials live here in JPEG)
<2-byte length> big-endian segment length
4A 50 "JP" common identifier for JUMBF-in-APP11
<box instance><seq> JUMBF box-instance number + packet sequence
.. .. .. .. 6A 75 6D 62 LBox + "jumb" JUMBF superbox
.. .. .. .. 6A 75 6D 64 + "jumd" description box
63 32 70 61 00 "c2pa" → this manifest store holds a C2PA claim:
• signer (X.509 cert chain)
• assertions: capture device, edit history,
"AI-generated" / "AI-edited" actions
• hash binding the claim to THESE pixels
Edit the pixels → the hash binding fails → validator reports "tampered."
# Inspect Content Credentials with the C2PA reference tool (illustrative).
c2patool statement_exhibit-12.mp4 # print the manifest store (JSON)
c2patool photo.jpg --detailed # full claim, assertions, signer chain
Read C2PA with the same two-handed discipline you apply to EXIF, and for the same reason — it is metadata, and metadata has limits. A valid credential signed by a trusted device or editor is strong, hard-to-forge evidence of origin and edit history. But a credential can be stripped (most platforms still discard it on upload, exactly as they strip EXIF), so its absence proves nothing — an unmarked file is not therefore fake. It is only as trustworthy as the signer (a credential signed by an untrusted or self-issued key asserts only what that signer chose to assert). And it records that AI was used when an honest tool reports honestly; it cannot force a malicious pipeline to confess. C2PA shifts the question from "is this fake?" to "what is the verifiable provenance, and does the credential survive validation?" — a question with a defensible answer. Camera-side signing is the upstream half: the Leica M11-P (2023) was the first camera to embed Content Credentials at capture, with Sony, Nikon, and secure-capture vendors like Truepic following — provenance asserted at the moment of the shutter, before any editing pipeline.
Watermarking and known-synthetic hashing
A complementary approach embeds an invisible signal at generation time. Google DeepMind's SynthID watermarks AI-generated images, audio, video, and text so that a detector can later recognize the content as machine-made even after some transformations; statistical text watermarking for large language models (the "green-list/red-list" token-biasing approach of Kirchenbauer and colleagues, 2023) tags AI-written text. Watermarks are promising and partial: they help only when the generator cooperated (an adversary's model will not watermark), and they can be degraded by heavy editing, cropping, paraphrase, or re-encoding. Finally, the hashing techniques from earlier in this chapter apply to synthetic content too — once a specific fake is identified, its perceptual hash can flag re-uploads at scale, the same mechanism used for known illegal material.
Tool Tip. Treat a Content Credential as one input among several, exactly as you treat EXIF. Verify it with
c2patoolor Adobe's Content Credentials Verify, record the signer and the validation result, and state plainly what a pass, a fail, and an absence each mean: a pass corroborates provenance, a fail indicates tampering after signing, and an absence is silent — it neither indicts nor exonerates. Never let "no credential" become "therefore fake," and never let "valid credential" become "therefore the depicted event is true" — the credential attests to the file's history, not to the reality of what it portrays. The broader tool inventory is Appendix C — Tool Reference.
The double-edged sword in court
The two faces of AI meet in the courtroom, where AI is simultaneously a tool the examiner used, evidence the parties offer, and a defense the parties raise.
AI-generated evidence
Increasingly the content of a case is itself AI output. Chatbot conversation logs are offered to show intent; AI-authored documents masquerade as human work product; and — most insidiously for our own profession — forensic tools now embed machine learning internally, so a triage classifier, a face-matcher, or an "AI insights" panel in a commercial suite becomes a black box whose output flows toward a report. A special hazard is the AI summary: a model asked to summarize ten thousand documents or a long chat will produce fluent, confident prose that may hallucinate — assert facts not in the source. The rule is unbending: AI-derived summaries, translations, and classifications are leads to verify against primary evidence, never quotations of record. If your suite used a model to reach a conclusion, you must be able to name the model, its version, and its known limits — or you cannot defend the conclusion.
Synthetic illegal material — the legal line, clinically
A genuinely difficult question, treated here at the level of law and procedure only, is AI-generated child sexual abuse material. The legal landscape in the United States runs from Ashcroft v. Free Speech Coalition (2002), which struck down portions of the 1996 statute that had criminalized purely "virtual" material with no real child, to the PROTECT Act of 2003 and 18 U.S.C. §1466A, which criminalize obscene visual depictions including computer-generated ones, framed to satisfy First Amendment limits; many states enacted AI-specific statutes in 2023–2024. The forensic challenge is distinct from the legal one: PhotoDNA and known-hash matching identify previously catalogued, real-victim material and will not match novel synthetic images, so triage tuned to known hashes can miss AI-generated material entirely, while the determination of whether new material is unlawful is a legal judgment made by humans under authority — not a model's output. Mandatory-reporting duties and scope discipline continue to apply. This paragraph is procedure and law; Chapter 28 — Ethics and Chapter 25 own the full treatment.
The liar's dividend
The most corrosive courtroom effect of synthetic media requires no fake at all. The liar's dividend — named by Bobby Chesney and Danielle Citron (2019) — is the deniability that the mere existence of deepfakes confers on the guilty: when everyone knows video can be faked, any genuine recording can be dismissed as a possible fake. A real confession, a real surveillance clip, a real recorded statement is met not with rebuttal but with a shrug — "that could be a deepfake." This reached litigation in a 2023 Tesla matter, where, faced with the plaintiff's use of recorded public statements by the company's CEO, defense lawyers suggested the executive could be a target of deepfakes and the statements might not be authentic; the judge was openly skeptical and ordered the deposition to proceed. The episode is a warning shot: the defense will be raised, sincerely or cynically, and you must be ready.
The answer to the liar's dividend is not a better deepfake detector — it is the authentication discipline this whole book teaches. Under Federal Rule of Evidence 901, the proponent of a recording must support a finding that it is what it claims to be, and the examiner is how that burden is met: chain of custody from the source (Chapter 14 — Forensic Acquisition), hash verification, container and codec metadata (Chapter 20), Content Credentials where present, corroborating timeline and device artifacts (Chapter 21), and the convergence of the detection battery. A recording pulled directly from a hashed device extraction, with consistent metadata, a clean acquisition trail, and no artifacts of synthesis, is authenticated — and "it could be a deepfake," unsupported, is not evidence. Provenance defeats the liar's dividend where a pixel detector cannot.
Legal Note. When opposing media is offered — or your client's genuine media is attacked — the examiner's task is authentication, not a binary "real/fake" pronouncement. Build the case the way you build any forensic finding: acquisition trail, hashes, metadata, provenance credentials, corroborating artifacts, and a detection battery whose convergence and stated limits you can defend. The frameworks for authentication, Daubert/FRE 702 admissibility of your methods, and the duty to disclose your techniques' limitations are developed in Chapter 25 — The Legal Framework and Chapter 27 — Expert Testimony. The one-sentence rule: testify to provenance and convergence with their limits, never to a single model's verdict.
Reliability, bias, and explainability: the Daubert problem for AI
Every AI tool you use is, the moment it touches a case, a method whose reliability the court may scrutinize — and AI strains the gatekeeping standards more than any technique in this book. Under Daubert v. Merrell Dow (1993) and FRE 702, a judge weighs whether a method is testable, has a known or potential error rate, has been subjected to peer review, operates under controlling standards, and enjoys general acceptance. Apply those five factors to a deep-learning classifier and the difficulties are immediate.
Error rate is the sharpest. A model's accuracy is meaningful only relative to data resembling its training set; on out-of-distribution inputs — the new deepfake generator, the unusual file type, the underrepresented population — the real error rate is often unknown and far worse than the published figure. A tool that is 95% accurate in the lab and 65% on the fakes you actually face does not have a "95% error rate" in any sense a court should credit. Explainability is the second wall: many models are black boxes that cannot say why they scored an image 0.9, and a method whose reasoning cannot be examined is hard to test and hard to cross-examine. Post-hoc explanation tools — SHAP, LIME, saliency maps, Grad-CAM — help indicate which inputs drove a decision, but they are themselves approximations, not the model's actual reasoning, and must not be oversold as such.
Bias is the third, and it is both a reliability and a justice problem. A model is only as representative as its training data, and the disparities are documented: NIST's Face Recognition Vendor Test (the demographic study, NISTIR 8280, 2019) found false-positive rates that varied by orders of magnitude across demographic groups for many algorithms. A triage classifier trained on a skewed corpus may systematically under-rank or over-flag certain content, certain people, certain dialects in transcription and translation — and a biased lead can send an investigation in a biased direction. Reproducibility is the fourth strain: models are sometimes nondeterministic, vendors update them silently so last month's output is not reproducible today, and a "result" you cannot reproduce is a result you cannot defend. And the fifth, peculiarly modern, problem is access: a commercial model's weights and training data are trade secrets, so neither you nor the opposing expert can fully inspect the method — raising confrontation and defense-access concerns the courts are only beginning to work through.
The professional posture that all of this dictates is the spine of the chapter. AI output is a lead; the human examiner is the accountable author of every finding. You validate the tools you rely on as you validate any forensic tool — against known datasets, following SWGDE and NIST CFTT-style practice — and you document the model, its version, its validation, its measured error rate on a representative set, and the human verification that confirmed each conclusion. You never present a score you cannot explain as proof, you disclose the method's limits as part of the finding, and when the model and the evidence disagree, the evidence wins. The full admissibility and testimony treatment is Chapter 27 — Expert Testimony.
Why This Matters. A vivid, confident machine output — a glowing classifier score, a fluent AI summary, a "94% likely fake" — feels like proof in a way that tempts tired examiners and persuades juries. That feeling is the danger. The same humility Chapter 20 demanded for ELA is mandatory here at higher stakes: each model is a hypothesis generator; conclusions require convergence across independent methods plus a plausible mechanism plus human verification; and "the analysis is consistent with synthesis but does not establish it," or "insufficient to determine authenticity," is frequently the most honest finding available. An examiner who can say that under oath is more credible, not less.
Tool demonstration: an AI-assisted triage pipeline, end to end
Bring the techniques together as one auditable workflow over anchor case #2's corporate dataset (ten custodians, multi-terabyte) — the discipline is identical for any large matter. You begin where you always begin: verified, hashed forensic images, mounted read-only, with working copies exported and hashed. Nothing below touches an original.
# STAGE 1 — DATA REDUCTION (hashing; not AI, and that's the point — do the cheap win first)
hashdeep -c sha256 -r -k nsrl-sha256.txt -x ./mnt/case/ > review_set.txt # drop known-good
ssdeep -r ./mnt/case/ > fuzzy.txt # find near-dupes
# 10.2 TB ─▶ 1.1 TB of "files the world has never catalogued" (≈ 89% reduction)
# Windows-workstation equivalent for the hash-and-reduce step (forensic boxes are often
# Windows). Hash the mounted, read-only working copy and keep only files whose SHA-256 is
# NOT in the NSRL known-good set — the same data-reduction win, on the examiner's platform.
$nsrl = [System.Collections.Generic.HashSet[string]]::new(
[string[]](Get-Content .\nsrl-sha256.txt), [StringComparer]::OrdinalIgnoreCase)
Get-ChildItem -Path E:\case\ -Recurse -File |
ForEach-Object { $h = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
if (-not $nsrl.Contains($h)) { [PSCustomObject]@{ Hash=$h; Path=$_.FullName } } } |
Export-Csv .\review_set.csv -NoTypeInformation # the "interesting" files only
STAGE 2 — ENRICHMENT (each runs on the reduced set; each writes a logged, hashed output)
images → CNN classifier (face/doc/screenshot/currency/...) + perceptual dedup/cluster
scanned/PDF → OCR (Tesseract) → searchable text
audio/video → ASR (Whisper) [+ translate] → transcripts (LEADS, verify vs. source)
all text → NER + link analysis → entity graph
logs/timeline → anomaly scoring (z-score) → ranked deviations
STAGE 3 — PRIORITIZED REVIEW QUEUE (what the examiner opens first)
rank item signal score
1 02:14 file-read spike (j.morales) anomaly z=9.1 ⚑⚑⚑
2 Q3-pricing-model.xlsx NER edge → external proton.me ⚑⚑
3 cluster #318 (41 screenshots) classifier: "source code" ⚑⚑
4 voicemail_0099.m4a ASR: "...send it to my personal" ⚑
...
Every row links to the artifact, the model+version, the threshold, and the input hash.
# STAGE 5 — REPRODUCIBILITY MANIFEST: pin every model so a stranger can replay the pipeline.
manifest = {
"case": "2024-0142",
"tools": {
"hashdeep": "4.4", "ssdeep": "2.14.1", "tesseract": "5.3.4",
"whisper": "medium / 2024-xx", "classifier": "internal-triage-v3 (val acc 0.91, "
"CFReDS-img 2025-01-12)", "ner": "spaCy en_core_web_trf 3.7",
},
"thresholds": {"anomaly_z": 3.0, "dhash_hamming": 10, "classifier_conf": 0.70},
"note": "All outputs are LEADS reviewed by a human; findings cite artifacts, not scores.",
}
Stage 4 — the human review of that queue — is where findings are born, and stage 5's manifest is what makes the whole thing forensic rather than merely fast: a defensible AI-assisted examination is one a stranger can replay and one whose every conclusion traces to an artifact a human confirmed. The full tool inventory lives in Appendix C; the reusable scripts in Appendix B — Python Forensics Toolkit; the command syntax in Appendix H.
Worked example: a vast dataset and a contested video
Return to anchor case #4 — the forensic image analyzed in court — at the level of procedure, law, and ethics only, and let it show both faces of AI in one matter. There are two intertwined tasks: triage a dataset too large to review by hand, humanely and defensibly; and respond when a recording in the case is challenged as synthetic.
Task one — triage at scale, with reduced exposure. The acquired, hashed image holds hundreds of thousands of files. You mount it read-only and export hashed working copies. Known-file filtering against the NSRL removes the operating-system and application noise; perceptual hashing against the lawfully provided known-material hash list flags previously catalogued items as leads, which are handled strictly per the procedure of Chapter 25 and the duties of Chapter 28, with each flagged item hashed and logged and the review interface configured to minimize unnecessary human exposure (thumbnail/grayscale previews; nothing reopened that hashing has already established). A CNN classifier and clustering prioritize the unknown remainder for human review under authority. At no point does a model determine legality; it ranks what a qualified human must judge, and the report records that distinction explicitly. The examiner's well-being is part of the procedure, not an afterthought.
Task two — the contested video. A video is offered into evidence; the defense raises the liar's dividend — it "could be a deepfake." Your task is authentication, not a one-word verdict. You proceed exactly as the chapter taught, building convergence:
1 — Provenance and acquisition. Where did the file come from? You establish the chain of custody from the source device extraction (Chapter 14), confirm the file's hash matches the hashed extraction, and check for C2PA Content Credentials with c2patool — recording whether a credential is present, valid, and what it asserts, and stating plainly that an absence of credentials is silent, not incriminating.
2 — Container and codec metadata. Using the Chapter 20 discipline, you read the MP4 moov/mvhd creation time (1904 epoch), the Encoded date, and the encoder fingerprint: a clip whose writing library is a device encoder is consistent with a camera original, while Lavf/x264 indicates transcoding that demands the same two-handed caution as an edited photo.
3 — The detection battery, with restraint. You run the visual battery — blend-boundary, frequency-domain, eye-reflection and pupil checks, temporal-flicker, and rPPG — and, on the audio track, the spectral and prosody checks. You record each as a score with its caveat, you note the generalization limit (the result's reliability against an unknown generator is itself unknown), and you look for convergence rather than relying on any one number.
4 — Corroboration across independent artifacts. You reconcile the video's internal times against the device's file-system MAC times and the master timeline (Chapter 21), and against any independent record of the event. A recording pulled directly from a hashed extraction, with consistent metadata, a clean acquisition trail, internally coherent timestamps, and no convergent artifacts of synthesis, is authenticated under FRE 901 — and the bare assertion "it could be a deepfake" is met with that evidentiary wall, not with a single detector's score.
CONTESTED-VIDEO AUTHENTICATION — exhibit-12.mp4 (anchor #4, clinical)
Test / artifact Result Weight & caveat
Chain of custody direct from hashed extraction STRONG (Ch.14)
File hash matches extraction integrity confirmed
C2PA credential absent SILENT — neither way
Container creation time consistent w/ device + timeline corroborated (Ch.20/21)
Encoder fingerprint device encoder (not Lavf/x264) consistent w/ original
Detection battery (mean) 0.31 (low) — no convergence consistent w/ authentic*
Independent timeline event corroborated STRONG
Overall authenticated under FRE 901; no convergent evidence of
synthesis; *cannot prove a negative — stated as such.
Every line traces to a hashed artifact; every conclusion carries its limit; the report authenticates provenance and convergence, and never claims a detector "proved" the video real. That restraint is what survives cross-examination — and what the sixth theme demands when a person's liberty rides on whether a recording is believed.
Chain of Custody. Every AI-derived output is a derivative item and must be treated like any evidence you extract. When you export a working copy for a model, save a classifier's flagged set, keep an ASR transcript, or store a detection-battery report, hash it, log its source and the producing tool-and-version ("triage-classifier v3 over working copy of
EX-07.E01, SHA-256 …"), and record the threshold used. A model output you cannot trace back to a hashed input, produced by a named, versioned tool, is not admissible support — it is an unattributable assertion. Templates are in Appendix F.War Story. An examiner once led with a single commercial "deepfake detector" that scored a clip 0.92 "fake," and built a report around it. On cross, opposing counsel established three things in five minutes: the tool's vendor had never published an error rate on the kind of generator at issue, the examiner could not explain why the model produced 0.92, and the same tool scored a known-authentic control clip 0.71. The number evaporated, and with it the witness's credibility. A second examiner on the other side had run the same battery — and reached "consistent with synthesis but not established; here are five convergent indicators and their limits, plus the provenance and acquisition trail." That witness was believed. The score is not the finding; the convergence, the provenance, and the honestly stated limits are.
Common mistakes
- Treating a model score as a finding. A classifier's 0.94, a detector's "fake," an AI summary's confident sentence — each is a lead that a human must confirm against primary evidence. Findings cite artifacts; they never cite a score as proof. This single error underlies most of the others.
- Ignoring the generalization gap. A detector validated at 95% on familiar fakes may be near-coin-flip on the new generator you actually face. Out-of-distribution accuracy is usually unknown and far worse than the headline number; report the limit, do not assume the lab figure.
- Letting the machine flow straight into the report. Skipping the human-review gate — pasting a triage tag, an OCR string, an ASR transcript, or a translation into a finding without verifying it against the source — launders machine error into testimony. OCR mis-reads digits; ASR invents words; translation flattens meaning; summaries hallucinate.
- Confusing absence of a provenance credential with fakery. A stripped or missing C2PA credential is silent — platforms remove them routinely. Absence is a question, not an answer; only a valid credential, or a failed validation, carries weight, and even a valid one attests to history, not to the truth of what is depicted.
- Mistaking PhotoDNA-style matching for content classification. Robust hashing finds known material only; a non-match says nothing about an unknown image, and novel AI-generated material will not match a hash list at all. Knowing what the tool cannot do is as important as running it.
- Failing to pin models and versions. "I used an AI tool" is not reproducible and not admissible. Name the model, the version, the threshold, the validation set, and the error rate, exactly as you pin Autopsy or TSK — reproducibility is admissibility.
- Over-trusting an entity graph or anomaly flag. NER mislabels and co-occurrence is not collusion; an anomaly is a deviation, not a crime. Use them to decide where to read the real evidence, then prove the point with corroborated artifacts.
- Working on originals because "it's just a model run." Models write temp files and pull whole datasets; run them on hashed working copies of a verified image, never the original. Theme #2 does not pause for convenience.
Limitations: knowing when to stop
The honest limits of this chapter are unusually large, because the technology is unusually seductive — and a professional report states them as plainly as its findings. AI outputs are probabilistic and frequently unexplainable. A model emits a score that correlates with truth on data like its training set and degrades, often silently, on data that is not; many models cannot say why, and post-hoc explanations (SHAP, LIME, Grad-CAM) are approximations, not reasons. Detection is losing an arms race. Generators improve faster than detectors, every visual and audio tell has been or will be engineered away, and the central reliability fact — demonstrated by the Deepfake Detection Challenge's collapse from low-80s to ~65% on unseen fakes — is that detectors generalize poorly to new synthesis. A detector's verdict on the fake you most care about is the verdict you can least trust.
Bias is real and consequential. Training-data skew produces demographic disparities (NIST's NISTIR 8280 documented order-of-magnitude differences in face-recognition false-positive rates across groups), dialect and language gaps in transcription and translation, and skewed triage rankings — and a biased lead biases an investigation. Provenance has gaps in both directions. Content Credentials prove history when present and valid, but they are routinely stripped (absence proves nothing), are only as trustworthy as the signer, and attest to a file's history rather than to the reality it depicts; watermarks help only when the generator cooperated and degrade under editing. You can rarely prove the negative. You can fail to find evidence of synthesis, but absence of evidence is not proof of authenticity — and you can flag the likelihood of a fake without recovering proof of how it was made.
And the hardest limit, the fifth theme made concrete: when a clip has been re-encoded by three apps, stripped of every credential, and exists only as a screen recording of a screen recording, the available signals may simply be insufficient to determine authenticity — and "the evidence is insufficient to reach a conclusion" is a valid, professional, court-defensible finding. Forcing a conclusion the data will not support is how examiners are discredited and how the liar's dividend wins. The skill that matters most in AI-assisted forensics is the same one that has mattered in every chapter: knowing the boundary of what your tools can honestly tell you, and stopping there.
Progressive project: add an AI-assisted triage layer to your case file
Continue building your Forensic Case File (the running deliverable from Chapter 5, acquired in Chapters 14–15 and layered with artifacts since). This chapter you add an AI-assisted triage and authenticity layer — and, crucially, you add the discipline that makes machine assistance defensible. Work only on hashed working copies of your verified image; log every model output to your chain-of-custody worksheet with its tool, version, and threshold.
- Reduce before you classify. Hash every file and apply known-file filtering (NSRL/KFF) to drop provably irrelevant files; run fuzzy and perceptual hashing to collapse near-duplicates. Record the before/after counts — your "data reduction" is itself a documented finding.
- Enrich the reduced set. Run a content classifier over the images, OCR over scanned documents and screenshots, ASR over any audio/video (with translation where needed), and NER over the text corpus to build an entity graph. Treat every output as a lead and tag it for human verification.
- Score the timeline for anomalies. Apply a simple, explainable anomaly method (z-score on per-hour events) to your master timeline; record the top deviations and link each to the underlying artifacts that will prove or refute it.
- Authenticate one contested media item. Pick an image or clip in your case and run the full authentication battery: chain of custody, hash, C2PA check with
c2patool, container/encoder metadata, the visual/audio detection tests, and timeline corroboration. Write the result as convergence with limits, never as a single verdict. - Build the reproducibility manifest. Produce the model-and-version manifest (every tool, version, threshold, validation set, and measured error rate) and a one-paragraph methods statement asserting that all AI outputs were human-verified and that findings cite artifacts, not scores. This is what makes your AI use survive Daubert.
Save the reduction counts, the enrichment outputs, the anomaly list, the authentication report, and the reproducibility manifest into the case-file folder. The capstone in Chapter 38 — The Capstone Investigation assembles the whole file; do not let this chapter's machine-made leads enter the record unverified.
Summary
Artificial intelligence wears two faces in the forensic lab, and this chapter taught you to use the one and confront the other without confusing them. As a force multiplier, AI solves the defining problem of modern casework — volume — by spending an examiner's scarce attention where it matters: known-file filtering and the hashing spectrum (cryptographic for exact identity, fuzzy for similarity, perceptual for visual sameness) reduce the haystack; CNN classifiers and object detectors rank images by content; embeddings cluster and de-duplicate; OCR, speech recognition, and translation turn unreadable evidence into searchable leads; named-entity recognition and link analysis surface the network behind a corporate theft; and unsupervised anomaly detection points at the ninety seconds of a million log lines that do not fit. You learned the non-negotiable shape of an AI-assisted examination — read-only and copy-based, fully auditable, with a human gate as the only place a finding is born — and you learned the clinical, procedural handling of robust-hash detection of known illegal material, which finds catalogued content (never classifies the unknown), triggers mandatory process and reporting, and, used with care, reduces the human cost by shielding examiners from exposure.
The second face is synthetic media. You learned how deepfakes are built — autoencoder face-swaps, GANs, diffusion models, reenactment, lip-sync, and voice cloning — and that each leaves traces: blending boundaries (Face X-Ray), lighting and eye-reflection inconsistencies, blink/pupil/teeth tells, temporal flicker, frequency-domain GAN fingerprints, and the missing rPPG heartbeat; in audio, spectral artifacts, flat prosody, and absent breathing and room acoustics; in biometrics, head-pose and identity inconsistencies. You learned the sobering reliability fact — detectors generalize poorly to unseen generators (the DFDC's fall to ~65%) — and therefore the field's strategic turn from catching the fake to proving the real: C2PA Content Credentials (a signed, tamper-evident, JUMBF-embedded provenance manifest, present in cameras like the Leica M11-P), watermarking (SynthID, LLM text watermarks), and known-synthetic hashing — each powerful and each limited (absence proves nothing; a credential attests to history, not truth). You met the double-edged sword in court: AI-generated evidence and hallucinating summaries, the clinical legal line on synthetic illegal material, and the liar's dividend — the deniability that lets the guilty dismiss genuine evidence — answered not by a better detector but by the authentication discipline of FRE 901: provenance, hashes, metadata, corroboration, and convergence with stated limits. Finally you faced the Daubert problem squarely — unknown out-of-distribution error rates, black-box unexplainability, documented bias, nondeterminism, and trade-secret inaccessibility — and adopted the posture the whole chapter exists to instill: AI output is a lead; the human examiner is the accountable author of every finding; you validate, version, and document your tools; and you never present a score you cannot explain as proof. Technology changes — a machine can now write its own evidence — and the method holds: image first, work the copy, corroborate across sources, document everything, and report every finding with its limitations intact.
You can now: - Build an auditable, copy-based AI-assisted triage pipeline — known-file filtering and the hashing spectrum, classification, clustering, OCR/ASR/translation, entity extraction, and anomaly detection — that prioritizes human attention without ever replacing the human gate. - Explain and apply the difference between cryptographic, fuzzy, and perceptual hashing, and handle robust-hash detection of known illegal material clinically and procedurally, including its limits and the mandatory duties it triggers. - Run a deepfake detection battery across visual, audio, and biometric artifacts — and state honestly that detectors generalize poorly to unseen generators, so each result is a corroborated lead, not proof. - Evaluate provenance approaches — C2PA Content Credentials, watermarking, and known-synthetic hashing — reading a credential's presence, validity, and absence correctly, and authenticate contested media under FRE 901 against the liar's dividend. - Articulate the Daubert/FRE 702 reliability, bias, explainability, and reproducibility problems of AI tools, and document a model-and-version manifest that makes machine-assisted work admissible. - Add an AI-assisted triage and authenticity layer to your Forensic Case File, with every machine output traced to a hashed artifact, named tool and version, and human verification.
What's next. Chapter 36 — The Forensic Toolkit — steps back from any single technique to survey the instruments themselves: Autopsy and The Sleuth Kit, FTK and EnCase, Cellebrite and the mobile suites, Volatility for memory, Wireshark for the wire — how to choose them, validate them, and combine open-source and commercial tools into a defensible workflow, with the AI features now embedded in every major suite weighed against exactly the reliability standard this chapter set.
Practice in exercises.md, test yourself with the quiz, apply it in the case studies, review the key takeaways, and go deeper with further reading.